Вы находитесь на странице: 1из 3

6/2/2014 How to Upgrade an High Availability (HA) Pair | Palo Alto Networks Live

All Places > Knowledge Base > Documents

How to Upgrade an High Availability

(HA) Pair Version 11

created by djipp on Oct 29, 2012 5:27 PM, last modified by djipp on Feb 7, 2014 9:21 AM

The following instructions for upgrading an HA pair are recommended because:

It verifies HA functionality before starting the upgrade.
It ensures the upgrade is successfully applied to the first device before starting the upgrade on the
At any point in the procedure, if any issue arises the upgrade can be seamlessly reverted without any
expected downtime.
When finished, the final active/passive device state will be the same as it was prior to the upgrade with
the least number of failovers possible (2).

Before beginning, we recommend disabling preempt to avoid possibility of unwanted failovers. Disabling
preempt configuration change must be commited on BOTH peers. Likewise, once completed, re-enabling
must be commited on both peers.

1. First suspend the active unit from the CLI run the command:
From the GUI go to Device > High Availability > Operations > Suspend local device.
Note: This will cause an HA failover. It is recommended to do this first to verify the HA functionality is
working before initiating the upgrade.
2. Verify network stability on the new active device with the previously active device suspended.
3. Install the new PAN-OS on the suspended device, then reboot the device to complete the install.
4. When the upgraded device is rebooted, the CLI prompt should show passive(or non-operational, if on
a different major release ie 4.0 to 4.1) and the PAN-OS version should reflect the new version.
5. On current passive device, verify auto commit completes successfully (FIN OK) by running command:
showjobsallbefore proceeding to the next step.
6. Suspend second device (should be current active device).
7. Upgrade the second device, then reboot it. When second device reboots, the first device that was
already upgraded, takes over as active.
8. As HA functionality was verified (step 1) and the config was successfully pushed to the dataplane on
the new PAN-OS (step 5), the failover should be seamless.
9. When the second unit reboots it will come up as the passive unit. Validate the auto commit completes
on this device by running command: showjobsallon this device (as done in step 5) to complete
the upgrade. The original active device before the upgrade will be the active device now.

Note: For upgrading Active-Active HA pair, the same steps are followed in the exact manner for upgrading

https://live.paloaltonetworks.com/docs/DOC-4043 1/3
6/2/2014 How to Upgrade an High Availability (HA) Pair | Palo Alto Networks Live

the Active-Passive pair. All the steps/terms used for Active and Passive devices can be correlated to
Active-Primary and Active-Secondary, respectively.

How to Downgrade
If an issue occurs on the new version and a downgrade is necessary:
Run the command debugswmrevertto revert back to the previous PAN-OS version.
This causes the firewall to boot from the partition in use prior to the upgrade. Nothing will be uninstalled and
no configuration change will be made.

Note: In some instances, when upgrading from PAN-OS 3.1 to PAN-OS 4.0 the web-server certificate may
get deleted from the configuration, this will result in the web GUI becoming unavailable after boot.

See also
Unable to Access the GUI after Upgrade to 4.0.1
Web UI Issues After Downgrading from PAN-OS 4.0

owner: djipp

6960 Views Categories: Setup, Management & Administration

Tags: ha, high_availability, active_active, active_passive, software_upgrade

Average User Rating

(22 ratings)


etnerual Mar 20, 2013 1:33 PM

Just wanted to share this info. I upgraded from 3.x to 5.x and after performing step #6 from above both
devices ended up in suspended mode - none were active. Apparently, the unit that was upgraded to
5.x remaind in suspended mode because the other HA unit version was "too old." I tried request high-
availability state functional on the 5.x unit but that didn't work. I was forced to disable HA on the 5.x
unit for it to be functional again.

Lesson: Don't expect HA functionality to work after upgrading couple major releases.
Like (0)

djipp Mar 23, 2013 4:37 AM (in response to etnerual)

The correct upgrade path from 3.1 to 5.0 is 3.1.x -> 4.0.x -> 4.1.x -> 5.0.x. Each step must be
completed on both devices in the cluster before proceeding. Upgrades directly from PANOS
3.x to 5.x should not be attempted in HA.

Like (1)

https://live.paloaltonetworks.com/docs/DOC-4043 2/3
6/2/2014 How to Upgrade an High Availability (HA) Pair | Palo Alto Networks Live

etnerual Mar 26, 2013 12:36 AM (in response to djipp)

If you want to upgrade and retain all of your configs then PANOS will not allow you to
skip major releases.
Like (0)

MCmgt Mar 20, 2014 10:56 AM

Thanks, worked great today. Some enhancement ideas:

Include instructions for how to disable preemption.

Include GUI instructions for all steps.
Integrate doc-1115 to provide more detail in the "verify auto commit completes" step. It took me a
while to figure this out. A note as to the time this step can complete (30minutes) would be good.
In the "upgrade the second device" step I noticed that the failover took place during the
upgrade...before the reboot

Like (0)

PrivacyPolicy LegalNotices SiteIndex Subscriptions

Home | Top of page | About Jive | Help 2007-2012 Jive Software |

https://live.paloaltonetworks.com/docs/DOC-4043 3/3